Skip to main content
close search
site logo
Dive Brief

PowerSchool data breach possibly exposed student, staff data

The cloud-based K-12 software provider confirmed a compromised credential was used to access its PowerSource customer support portal.

Published Jan. 10, 2025
Anna Merod's headshot
Reporter
A single opened padlock glows red among rows of closed blue padlocks.
It remains unknown how many school districts were impacted in a December data breach tied to a "potential" cybersecurity incident at PowerSchool. JuSun via Getty Images

First published on

K-12 Dive

Dive Brief:

  • PowerSchool became aware of a “potential” cybersecurity incident on Dec. 28 involving the unauthorized access of some student and staff information through its PowerSource service, the company confirmed to K-12 Dive on Thursday. PowerSource is a customer support portal for district and school staff. 
  • A PowerSchool spokesperson said in an emailed statement that “the incident is contained and we do not anticipate the data being shared or made public.” The company said the incident was not a ransomware attack. 
  • When asked about the scope of this data breach, PowerSchool did not comment on the number of students, teachers or school districts impacted by the incident. A growing number of districts — including San Diego Unified School District and Massachusetts’ Lenox Public Schools — are publicly reporting they’ve been alerted by PowerSchool that their data was accessed by the threat actor. 

Dive Insight:

The hacker is believed to have gained unauthorized access to two tables with family and teacher information from PowerSchool’s Student Information System database, the company said. 

That includes personally identifiable data such as contact information like the names and addresses of families and educators. For some teachers and families, information like Social Security numbers and medical data were also exposed.

PowerSchool’s cloud-based systems are used by over 55 million students and 17,000 educational customers in more than 90 countries. 

As PowerSchool is reaching out to affected schools, local news reports are rolling out in various parts of the nation regarding the company’s notifications to school districts they’ve been impacted by the data breach. This includes statewide reports from the North Carolina Department of Public Instruction and the Alabama Department of Education

Evidence suggests the data breach occurred after an unauthorized party used a compromised credential to access PowerSource, according to the PowerSchool spokesperson.

In a Thursday webinar with school district officials, PowerSchool officials noted they’re still investigating how those credentials were compromised. However, it appears that the credentials were available on the dark web for a “period of time well before the attack,” said Mishka McCowan, VP of information security and CISO of PowerSchool, during Thursday's webinar.

PowerSchool officials said the company is working with CrowdStrike, a cybersecurity company, to investigate the situation. One of the services CrowdStrike is providing to PowerSchool is dark web monitoring. CrowdStrike previously found itself at the center of controversy in the summer of 2024 when a defective software update for its Falcon platform led to a global IT network outage

The PowerSchool data breach comes at a time when schools are increasingly on edge about protecting networks that hold the sensitive information of students and staff. 

Before the cybersecurity incident, PowerSchool signed the Future of Privacy Forum and the Software & Information Industry Association’s student privacy pledge. The pledge, which has 484 signatories from varying organizations, was created to protect students’ privacy in the collection, maintenance and use of their personal information. 

Moving forward, PowerSchool officials said during the Thursday webinar that it will work with impacted districts on how to communicate the incident with their school communities. The company is also working to offer credit monitoring support.

Additionally, Michael Bisignano, chief legal officer at PowerSchool, advised district leaders during the webinar to reach out to their cyber insurance brokers

“You should certainly interact with your insurance brokers in that regard and speak with them about the best circumstance for you,” Bisignano said, adding that notifying an insurance carrier doesn’t necessarily mean the district is asking to receive coverage for anything. Rather, he said, it’s just an initial step and districts aren’t obligated to do it.

Filed Under: Breaches

Editors' picks

Company Announcements

View all | Post a press release
Medusind Data Breach Investigation
From Migliaccio and Rathod LLP
January 08, 2025
Excelsior Orthopaedics Data Breach Investigation
From Migliaccio and Rathod LLP
January 08, 2025
American Trust Retirement Data Breach Investigation
From Migliaccio and Rathod LLP
January 07, 2025
Editors' picks
Latest in Breaches
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.